
MFA

Type: MFA Provider Packages

Available Providers

| Package | Method | Installation |
| --- | --- | --- |
| `@nauth-toolkit/mfa-totp` | TOTP (Authenticator apps) | `yarn add @nauth-toolkit/mfa-totp` |
| `@nauth-toolkit/mfa-sms` | SMS codes | `yarn add @nauth-toolkit/mfa-sms` |
| `@nauth-toolkit/mfa-email` | Email codes | `yarn add @nauth-toolkit/mfa-email` |
| `@nauth-toolkit/mfa-passkey` | WebAuthn/FIDO2 | `yarn add @nauth-toolkit/mfa-passkey` |

Configuration

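| Option | Type | Default | Description |
| --- | --- | --- | --- |
| `enabled` | `boolean` | `false` | Enable MFA |
| `enforcement` | `string` | `'OPTIONAL'` | `'OPTIONAL'` \| `'REQUIRED'` \| `'ADAPTIVE'` |
| `allowedMethods` | `MFAMethod[]` | All | Allowed methods |
| `issuer` | `string` | App name | TOTP issuer name |

With these defaults MFA is off until `enabled` is set to `true`; once enabled, enforcement is `'OPTIONAL'` and every method is allowed unless `enforcement` and `allowedMethods` are set explicitly.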

Usage

import { TOTPMFAModule } from '@nauth-toolkit/mfa-totp/nestjs';

/**
 * Example root module: switches MFA on and registers the TOTP provider module.
 *
 * Review notes:
 * - `enabled` defaults to `false`, so MFA stays off unless it is set here.
 * - `enforcement: 'OPTIONAL'` equals the documented default; the other documented
 *   values are `'REQUIRED'` and `'ADAPTIVE'`. Presumably OPTIONAL leaves enrolment
 *   to the user, so an account without an enrolled device would still sign in with
 *   a single factor; confirm against the toolkit's enforcement documentation.
 * - `allowedMethods` lists SMS, but only `TOTPMFAModule` is imported below.
 *   Presumably the provider module from `@nauth-toolkit/mfa-sms` has to be
 *   registered as well before SMS can be used; confirm.
 */
@Module({
  imports: [
    AuthModule.forRoot({
      mfa: {
        // Explicit opt-in: the documented default is `false`.
        enabled: true,
        enforcement: 'OPTIONAL',
        // Restricts the methods offered; when omitted, the documented default is "All".
        allowedMethods: [MFAMethod.TOTP, MFAMethod.SMS],
      },
    }),
    TOTPMFAModule,
  ],
})
export class AppModule {}

MFAMethod Enum

/**
 * Identifiers for the MFA methods that can be listed in the `allowedMethods`
 * configuration option.
 */
enum MFAMethod {
  /** Time-based one-time passwords generated by an authenticator app. */
  TOTP = 'totp',

  /** One-time codes delivered by SMS. */
  SMS = 'sms',

  /** One-time codes delivered by email. */
  EMAIL = 'email',

  /** WebAuthn/FIDO2 credentials. */
  PASSKEY = 'passkey',

  /**
   * No provider package is listed for this value.
   * NOTE(review): presumably this denotes backup recovery codes; confirm.
   */
  BACKUP = 'backup',
}

IMFAProviderService Interface

/**
 * Contract implemented by each MFA provider (TOTP, SMS, passkey, ...).
 *
 * Inputs to `setup`, `verifySetup` and `verify` are typed `unknown`, so an
 * implementation has to narrow and validate them itself before use.
 */
interface IMFAProviderService {
  /** Unique name identifying this provider's method, e.g. 'totp', 'sms' or 'passkey'. */
  readonly methodName: string;

  /**
   * Reports whether the current configuration allows this method.
   *
   * @returns `true` when the method is allowed by configuration.
   */
  isMethodAllowed(): boolean;

  /**
   * Starts MFA enrolment for this method.
   *
   * @param setupData - Optional provider-specific input.
   * @returns Provider-specific setup data.
   */
  setup(setupData?: unknown): Promise<unknown>;

  /**
   * Confirms the enrolment and creates the MFA device.
   *
   * @param verificationData - Provider-specific proof supplied to complete setup.
   * @param deviceName - Optional name for the new device.
   * @returns The ID of the created device.
   */
  verifySetup(verificationData: unknown, deviceName?: string): Promise<number>;

  /**
   * Checks an MFA code or credential during authentication.
   *
   * NOTE(review): nothing in this signature shows attempt limiting; presumably
   * the caller throttles repeated failures. Confirm.
   *
   * @param code - Code or credential to check; typed `unknown`, narrow before use.
   * @param deviceId - Optional ID of the device to verify against.
   * @returns The boolean verification result.
   */
  verify(code: unknown, deviceId?: number): Promise<boolean>;

  /**
   * Sends a challenge such as an SMS code or passkey options.
   * Optional member: TOTP does not need it.
   *
   * @param challengeSessionId - Optional ID of the challenge session.
   * @returns Provider-specific challenge data.
   */
  sendChallenge?(challengeSessionId?: number): Promise<unknown>;

  /**
   * Generates single-use backup recovery codes. Optional member.
   *
   * @returns The generated codes.
   */
  generateBackupCodes?(): Promise<string[]>;
}

Providers